Monday 2 April 2007

Digital Self Defence

I’m back from Black Hat Europe 2007. Black Hat’s theme is “Digital Self Defence”, and that is just what I did. Because I took a reverse engineering training by Halvar Flake, I had to take my Windows laptop with me. I explain how I protected my Windows laptop when accessing an insecure wireless network at the conference.

The threats I faced when enabling my wireless connection at the conference were:

someone compromising the integrity of my system

confidential data theft

credentials theft

In a normal situation I protect my OS and data with these procedures and tools:

keeping my OS and software patched

running McAfee Anti-Virus and keeping it updated

running Kerio’s free Personal Firewall

connecting to the Internet with a NAT router

using a WPA secured WiFi connection

using Firefox with NoScript and CookieSafe for web browsing

storing all my data in a TrueCrypt volume

making regular system backups with Acronis TrueImage on a dedicated USB hard disk

using a non-admin account

At home, before I left for the conference, I took a full backup of my laptop.

In the hotel, there was unencrypted, free WiFi available in the rooms and on the conference floor. My laptop has a (hardware) switch to disable WiFi. I would only switch it on when I really needed to access the Internet, and preferably in my hotel room on the 16th floor, not on the conference floor.

Each time I enabled WiFi access, I unmounted the TrueCrypt volume with all my data.

Whenever I accessed a website that needed credentials (like Gmail), I made sure that it used HTTPS or else I would use TOR as a proxy (I didn’t use TOR all the time because of the slow connection).

For the training, I installed a new virtual machine (with VMware), and installed all the software Halvar gave us and did all the exercises on this machine.

My hotel room had a laptop safe, and I would always store my laptop in it whenever I didn’t need it.

I didn’t notice any incident on my laptop while I was at Black Hat. But back home, I decided to restore my laptop, not because I feared my laptop was compromised, but mainly as an exercise to test my backup procedure.

Here is how I did it:

make a new backup of my laptop, just in case the restore goes wrong

copy my TrueCrypt volume with data and the training virtual machine to a USB hard disk, because I need to keep these

restore the backup from before the conference

copy my TrueCrypt volume with data from the USB hard disk back to the laptop

It took a long time, but the procedure is simple and everything went fine. I learned that the Acronis True Image progress bar during the restore is confusing: the time remaining would increase, not decrease. At the end, it showed 5 hours, and then Acronis True Image rebooted my laptop. Windows was running normally, and connected immediately to my WiFi network at home. All traces of the WiFi network at Black Hat were gone.

> “Whenever I accessed a website that needed credentials (like Gmail), I made sure that it used HTTPS or else I would use TOR as a proxy (I didn’t use TOR all the time because of the slow connection).”

Did you know that by default the GX session cookie used by gmail will be provided whether or not the session is https? This means that somebody could supply a redirect in response to one of your unencrypted wireless URL requests, and have it go to gmail via http rather than https. Your browser would then happily upload the session cookie in the clear so that it could be snarfed and used to impersonate you. Check out H. D. Moore’s Karma/Metasploit integration for more wireless exploitation.

If forced to use an unencrypted wireless network at a hacking convention, I would first establish a VPN tunnel to another secure location such as work, and then ensure that all of my application traffic was going through that tunnel (split tunneling is a bad thing).

Personally, I think anybody who offers unencrypted wireless access to the public (Starbucks, this means you!) deserves all of the lawsuits they will eventually be served with when the public figures out what terrible risks using it exposes them to.

I did some tests, and the Gmail GX session cookie is an HTTPS cookie if you have configured your Gmail account to use HTTPS only. If you haven’t, then it is a normal cookie.

Last year I didn’t use TOR, but my own SSH tunnel. And this year, I even refused to use the wireless network for services that required authentication. For example, I read my e-mail on my mobile over 3G.
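The cookie behaviour the comment and the reply above are arguing about comes down to one browser rule: a cookie carrying the Secure attribute is only attached to HTTPS requests, any other cookie is attached to plain HTTP requests as well. The following is an added example (not code from the post, the commenter, or Google) that models that rule with a minimal cookie jar and replays the attack the comment describes: the victim signs in over HTTPS, an attacker on the open WiFi answers an unrelated HTTP request with a 302 to the mail site over plain HTTP, and the browser follows it. The cookie value, the Set-Cookie headers and the attacker's response are all constructed for the demo; "HTTPS cookie" in the reply is assumed to mean the Secure attribute.

```javascript
// Added example: does a session cookie leak when an attacker redirects the
// browser from HTTP to the HTTP version of the mail site?
// Everything below (cookie value, headers, attacker response) is constructed.

// Parse one Set-Cookie header into { name, value, domain, path, secure }.
function parseSetCookie(header) {
  const parts = header.split(';').map(s => s.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name, value: rest.join('='), domain: null, path: '/', secure: false };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;                     // only sent over https
    else if (key === 'domain') cookie.domain = v.trim().replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = v.trim();
  }
  return cookie;
}

function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// A very small cookie jar implementing the three checks that matter here:
// domain match, path match, and the Secure attribute.
class CookieJar {
  constructor() { this.cookies = []; }

  store(responseUrl, setCookieHeader) {
    const c = parseSetCookie(setCookieHeader);
    if (!c.domain) c.domain = new URL(responseUrl).hostname;        // host-only cookie
    this.cookies.push(c);
  }

  // The Cookie header a browser would attach to a request for requestUrl.
  cookieHeaderFor(requestUrl) {
    const u = new URL(requestUrl);
    const overHttps = u.protocol === 'https:';
    return this.cookies
      .filter(c => domainMatches(u.hostname, c.domain))
      .filter(c => u.pathname.startsWith(c.path))
      .filter(c => overHttps || !c.secure)                          // the rule in question
      .map(c => `${c.name}=${c.value}`)
      .join('; ');
  }
}

// Constructed attacker reply to some unrelated plain-HTTP request on the open WiFi.
const ATTACKER_RESPONSE =
  'HTTP/1.1 302 Found\r\n' +
  'Location: http://mail.google.com/mail/\r\n' +
  'Content-Length: 0\r\n\r\n';

function redirectTarget(rawResponse) {
  const m = /^Location:\s*(\S+)/mi.exec(rawResponse);
  return m ? m[1] : null;
}

// Victim logs in over HTTPS and receives setCookieHeader; the browser then follows
// the attacker's redirect. Returns what goes over the wire in the clear and what
// the site would still receive over HTTPS.
function simulate(setCookieHeader) {
  const jar = new CookieJar();
  jar.store('https://mail.google.com/mail/', setCookieHeader);
  const target = redirectTarget(ATTACKER_RESPONSE);
  return {
    redirectTarget: target,
    leakedInClear: jar.cookieHeaderFor(target),
    sentOverHttps: jar.cookieHeaderFor('https://mail.google.com/mail/'),
  };
}

// Constructed headers: the "normal cookie" case and the "HTTPS cookie" case.
const NORMAL_COOKIE = 'GX=EXAMPLE_SESSION_TOKEN; Path=/';
const SECURE_COOKIE = 'GX=EXAMPLE_SESSION_TOKEN; Path=/; Secure';

if (typeof require !== 'undefined' && require.main === module) {
  console.log('normal cookie:', simulate(NORMAL_COOKIE));
  console.log('secure cookie:', simulate(SECURE_COOKIE));
}
```

With the plain cookie the redirected HTTP request carries `GX=EXAMPLE_SESSION_TOKEN` in the clear, which is exactly what a sniffer on the open network needs; with the Secure attribute the same request carries nothing, while the HTTPS request still gets the cookie. The jar ignores expiry, HttpOnly and the public-suffix rules a real browser applies, because none of them change this particular outcome.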